
14 May 2016

[ICS] Meteocontrol WEB’log Multiple Vulnerabilities

Meteocontrol is a Germany-based company that maintains offices in several countries around the world, including the US, China, Italy, Spain, France, Switzerland, and Israel. The affected products, WEB’log, are web-based SCADA systems that provide functions to manage energy and power configurations in different connected (energy/industrial) devices.

ICS-CERT Advisory


Read on for details & poc.


03 May 2016

[ICS] Moxa MiiNePort – Multiple Vulnerabilities

Multiple vulnerabilities are present in Moxa MiiNePort. The following versions have been verified, but it is highly probable that all other versions are affected as well.

Confirmed Device Models + Firmware versions
Device name         : MiiNePort_E1_7080
Firmware version    : 1.1.10 Build 09120714
Device name         : MiiNePort_E1_4641
Firmware version    : 1.1.10 Build 09120714
Device name         : MiiNePort_E2_1242
Firmware version    : 1.1 Build 10080614
Device name         : MiiNePort_E2_4561
Firmware version    : 1.1 Build 10080614
Model name          : MiiNePort E3
Firmware version    : 1.0 Build 11071409
Vulnerability Summary
1. Weak Credentials Management - CVE-2016-2286
2. Sensitive information not protected - CVE-2016-2295
3. Vulnerable to Cross-Site Request Forgery - CVE-2016-2285

ICS-CERT Advisory

Read on for details and poc.


29 Jan 2016

[ICS] GEDE UPS SNMP Adapter Vulnerabilities

On a recent pentest, I found a few vulnerabilities in GE Industrial Solutions - UPS SNMP Adapter. Successful exploitation can lead to arbitrary command execution as superuser on the device, and sensitive information leakage.

GE Advisory: GEIS_SNMP.pdf

ICS-CERT Advisory:

Affected Products
• All SNMP/Web Interface cards with firmware version prior to 4.8 manufactured by GE Industrial Solutions.


Read on for details and poc.


21 Dec 2015

LG-Nortel ADSL modem Multiple Vulnerabilities

A while back, in April - May 2015, on a pentest in Sydney, I was testing an LG-Nortel ADSL modem for a customer. This device model is heavily deployed by Optus in Australia (Sydney) for its SOHO broadband customers. I found several security flaws on the device, which I then reported to the appropriate teams.

Estimated (potential) deployment size is 20-30% of the customer base. Optus, CERT-US and CERT-AU are aware of these issues.

Ownership of this model by LG Nortel could not be identified. <--- The issues are not fixed.

This device may very well be used by other Service Providers and / or in other locations. I am not sure if and how this device might connect back to the Optus network. If it does connect / talk back, it would be interesting to see what impact it can create.

Read on for details & poc.


28 Nov 2015

Cambium ePMP 1000 – Multiple vulnerabilities

A couple of weeks back, I came across Cambium ePMP devices. I found multiple vulnerabilities in Cambium ePMP 1000 devices and, as always, attempted to work with the vendor. But you know how most vendors handle responsible disclosure. Poorly.

Hence, I am documenting these findings and proofs of concept now.

Read on for details.
